<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Get token API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-get-token.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-get-token.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-get-token.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-api-get-token.html" rel="nofollow" target="_blank">../en/security-api-get-token.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="security-api.html">Security APIs</a></span>
»
<span class="breadcrumb-node">Get token API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-api-get-role.html">« Get roles API</a>
</span>
<span class="next">
<a href="security-api-get-user.html">Get users API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-get-token"></a>Get token API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>

<p>Creates a bearer token for access without requiring basic authentication.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-get-token-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">POST /_security/oauth2/token</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-get-token-prereqs"></a>Prerequisites<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
To use this API, you must have the <code class="literal">manage_token</code> cluster privilege.
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-get-token-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The tokens are created by the Elasticsearch Token Service, which is automatically enabled
when you configure TLS on the HTTP interface. See <a class="xref" href="configuring-tls.html#tls-http" title="Encrypting HTTP client communications">Encrypting HTTP client communications</a>. Alternatively,
you can explicitly enable the <code class="literal">xpack.security.authc.token.enabled</code> setting. When
you are running in production mode, a bootstrap check prevents you from enabling
the token service unless you also enable TLS on the HTTP interface.</p>
<p>The get token API takes the same parameters as a typical OAuth 2.0 token API
except for the use of a JSON request body.</p>
<p>A successful get token API call returns a JSON structure that contains the access
token, the amount of time (seconds) that the token expires in, the type, and the
scope if available.</p>
<p>The tokens returned by the get token API have a finite period of time for which
they are valid and after that time period, they can no longer be used. That time
period is defined by the <code class="literal">xpack.security.authc.token.timeout</code> setting. For more
information, see <a class="xref" href="security-settings.html#token-service-settings" title="Token service settings">Token service settings</a>.</p>
<p>If you want to invalidate a token immediately, you can do so by using the
<a class="xref" href="security-api-invalidate-token.html" title="Invalidate token API">invalidate token API</a>.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-get-token-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following parameters can be specified in the body of a POST request and
pertain to creating a token:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">grant_type</code>
</span>
</dt>
<dd>
<p>
(Required, string) The type of grant.
Supported grant types are: <code class="literal">password</code>, <code class="literal">_kerberos</code>,
<code class="literal">client_credentials</code> and <code class="literal">refresh_token</code>.
</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">client_credentials</code>
</span>
</dt>
<dd>
This grant type implements the Client Credentials Grant of OAuth2. It is geared
for machine to machine communication and is not suitable or designed for the
self-service user creation of tokens. It generates only access tokens that
cannot be refreshed. The premise is that the entity that uses
<code class="literal">client_credentials</code> has constant access to a set of (client, not end-user)
credentials and can authenticate itself at will.
</dd>
<dt>
<span class="term">
<code class="literal">_kerberos</code>
</span>
</dt>
<dd>
This grant type is supported internally and implements SPNEGO based Kerberos
support. The <code class="literal">_kerberos</code> grant type may change from version to version.
</dd>
<dt>
<span class="term">
<code class="literal">password</code>
</span>
</dt>
<dd>
This grant type implements the Resource Owner Password Credentials Grant of
OAuth2. In this grant, a trusted client exchanges the end user’s credentials
for an access token and (possibly) a refresh token. The request needs to be made
by an authenticated user but happens <em>on behalf</em> of another authenticated user
(the one whose credentials are passed as request parameters). This grant type is
not suitable or designed for the self-service user creation of tokens.
</dd>
<dt>
<span class="term">
<code class="literal">refresh_token</code>
</span>
</dt>
<dd>
This grant type implements the Refresh Token Grant of OAuth2.
In this grant a user exchanges a previously issued refresh token for a new access token and a new refresh token.
</dd>
</dl>
</div>
</dd>
<dt>
<span class="term">
<code class="literal">password</code>
</span>
</dt>
<dd>
(Optional<sup>*</sup>, string) The user’s password. If you specify the <code class="literal">password</code> grant type, this
parameter is required. This parameter is not valid with any other supported
grant type.
</dd>
<dt>
<span class="term">
<code class="literal">kerberos_ticket</code>
</span>
</dt>
<dd>
(Optional<sup>*</sup>, string) The base64 encoded kerberos ticket. If you specify the
<code class="literal">_kerberos</code> grant type, this parameter is required. This parameter is not valid
with any other supported grant type.
</dd>
<dt>
<span class="term">
<code class="literal">refresh_token</code>
</span>
</dt>
<dd>
(Optional<sup>*</sup>, string) The string that was returned when you created the token,
which enables you to extend its life. If you specify the <code class="literal">refresh_token</code> grant
type, this parameter is required. This parameter is not valid with any other
supported grant type.
</dd>
<dt>
<span class="term">
<code class="literal">scope</code>
</span>
</dt>
<dd>
(Optional, string) The scope of the token. Currently tokens are only issued for a scope of
<code class="literal">FULL</code> regardless of the value sent with the request.
</dd>
<dt>
<span class="term">
<code class="literal">username</code>
</span>
</dt>
<dd>
(Optional<sup>*</sup>, string) The username that identifies the user. If you specify the <code class="literal">password</code>
grant type, this parameter is required. This parameter is not valid with any
other supported grant type.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-get-token-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/get-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following example obtains a token using the <code class="literal">client_credentials</code> grant type,
which simply creates a token as the authenticated user:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oauth2/token
{
  "grant_type" : "client_credentials"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2103.console"></div>
<p>The following example output contains the access token, the amount of time (in
seconds) that the token expires in, and the type:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200
}</pre>
</div>
<p>The token returned by this API can be used by sending a request with a
<code class="literal">Authorization</code> header with a value having the prefix <code class="literal">Bearer ` followed
by the value of the `access_token</code>.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl -H "Authorization: Bearer dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==" http://localhost:9200/_cluster/health</pre>
</div>
<p>The following example obtains a token for the <code class="literal">test_admin</code> user using the
<code class="literal">password</code> grant type:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oauth2/token
{
  "grant_type" : "password",
  "username" : "test_admin",
  "password" : "x-pack-test-password"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2104.console"></div>
<p>The following example output contains the access token, the amount of time (in
seconds) that the token expires in, the type, and the refresh token:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
<p><a id="security-api-refresh-token"></a>To extend the life of an existing token obtained using the <code class="literal">password</code> grant type,
you can call the API again with the refresh token within 24 hours of the token’s
creation. For example:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oauth2/token
{
    "grant_type": "refresh_token",
    "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2105.console"></div>
<p>The API will return a new token and refresh token. Each refresh token may only
be used one time.</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
<p>The following example obtains a access token and refresh token using the <code class="literal">kerberos</code> grant type,
which simply creates a token in exchange for the base64 encoded kerberos ticket:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">POST /_security/oauth2/token
{
  "grant_type" : "_kerberos",
  "kerberos_ticket" : "YIIB6wYJKoZIhvcSAQICAQBuggHaMIIB1qADAgEFoQMCAQ6iBtaDcp4cdMODwOsIvmvdX//sye8NDJZ8Gstabor3MOGryBWyaJ1VxI4WBVZaSn1WnzE06Xy2"
}</pre>
</div>
<p>The API will return a new token and refresh token if kerberos authentication is successful.
Each refresh token may only be used one time. When the mutual authentication is requested in the Spnego GSS context,
 a base64 encoded token will be returned by the server in the <code class="literal">kerberos_authentication_response_token</code>
 for clients to consume and finalize the authentication.</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
  "kerberos_authentication_response_token": "YIIB6wYJKoZIhvcSAQICAQBuggHaMIIB1qADAg"
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="security-api-get-role.html">« Get roles API</a>
</span>
<span class="next">
<a href="security-api-get-user.html">Get users API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>